VLANs in Raspberry Pi + managed switch

Hey all!

I currently have this set up:

I'm trying to set up VLANs to separate LAN, Guest, IoT, etc., but the Wiki isn't really extensive for cases where the switch is outside, and I'm at a loss.

I have VLANs set up in the switch like this:


and the PVID of all ports is 1

For simplicity I'll omit the VPN stuff. They can be removed and added back later if needed.
(the complete config files can be found in this post)

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipv6 '0'
	option delegate '0'
	list dns '10.2.0.1'

config interface 'WAN'
	option proto 'dhcp'
	option device 'eth1'
	option peerdns '0'
	option ipv6 '0'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option logfacility '/tmp/dnsmasq.log'
	option quietdhcp '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option name 'switch'
	list mac '*****'
	option ip '192.168.10.9'
	option leasetime 'infinite'
	list match_tag 'known'

This is what I tried to do, as a starter:

# /etc/config/network
uci add network bridge-vlan # =cfg11a1b0
uci set network.@bridge-vlan[-1].device='br-lan'
uci set network.@bridge-vlan[-1].vlan='10'
uci add_list network.@bridge-vlan[-1].ports='eth0:t'
uci set network.lan.device='br-lan.10'

Also tried:

# /etc/config/network
uci set network.lan.device='eth0.10'

In either case I lose connection and have to wait for LuCI to revert the changes.

What am I doing wrong?

With a Pi, it's pretty straightforward.

In /etc/config/network, add two new interfaces like this:

config interface 'guest'
	option device 'eth0.10'
	option proto 'static'
	option ipaddr '192.168.100.1'
	option netmask '255.255.255.0'

config interface 'iot'
	option device 'eth0.20'
	option proto 'static'
	option ipaddr '192.168.200.1'
	option netmask '255.255.255.0'

Add DHCP servers (/etc/config/dhcp):

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'

Add both the iot and guest networks to the lan firewall zone (for now) and then reboot.

On the switch, you will need VLAN 20 added to at least one other port as it doesn't have a place to go (port 5 is the only port that is currently a member).

I would recommend that you test this (at the switch) by setting up a port per VLAN. This only needs to be a quick test, but it proves that everything is working. For example, keep port 1 as VLAN 1 untagged + PVID. Then port 2 can be VLAN 10 untagged + PVID, and port 3 will be VLAN 20 untagged + PVID. From there, you can connect your computer to each port to verify the VLAN is working.

Once all of that is done, you can adjust the firewall to achieve whatever specific goals you have for those networks (likely isolating them from your trusted lan) and then finally change the switch back to a config that is useful for your normal use and set up your APs.
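As an added example (not from the thread or from OpenWrt itself), the interfaces, DHCP pools and zone membership described above expressed as a `uci batch` script, produced by a small shell function that also rejects VLAN IDs outside the 802.1Q range 1..4094. It assumes the LAN NIC is eth0 as in the original post, and that the `lan` zone is the first zone in /etc/config/firewall (`@zone[0]`), which is the default layout but should be confirmed with `uci show firewall` before use. The names and addresses in the demo call are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: build the uci commands that create one
# VLAN-backed network on a Raspberry Pi router whose LAN NIC is eth0.
# Assumptions: eth0 is the LAN NIC; firewall.@zone[0] is the 'lan' zone.

# valid_vid VID -> true if VID is a usable 802.1Q VLAN ID (1..4094)
valid_vid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# vlan_uci_batch NAME VID IPADDR -> prints a 'uci batch' script on stdout:
#   a static interface on eth0.VID, an IPv4-only DHCP pool (start 100,
#   150 leases, 12h), and membership in the existing 'lan' zone "for now".
vlan_uci_batch() {
    name=$1 vid=$2 ip=$3
    valid_vid "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    cat <<EOF
set network.$name=interface
set network.$name.device='eth0.$vid'
set network.$name.proto='static'
set network.$name.ipaddr='$ip'
set network.$name.netmask='255.255.255.0'
set dhcp.$name=dhcp
set dhcp.$name.interface='$name'
set dhcp.$name.start='100'
set dhcp.$name.limit='150'
set dhcp.$name.leasetime='12h'
set dhcp.$name.dhcpv4='server'
add_list firewall.@zone[0].network='$name'
EOF
}

# Demo with constructed values: print the batch for a guest VLAN 10 network.
vlan_uci_batch guest 10 192.168.100.1
```

Run it as `vlan_uci_batch guest 10 192.168.100.1 | uci batch`, review the result with `uci changes`, and only then `uci commit`; until the interfaces are reloaded nothing is live, so a wrong line can still be dropped with `uci revert network` (likewise `dhcp` and `firewall`) instead of waiting for LuCI's rollback timer.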

Thanks!

Followed your instructions and everything works in the router.
Simplified for just lan + vlan.30 for the time being.
When connecting to port 1 in the switch (vlan.30 untagged) all is well. I get a proper 192.168.30.0/24 IP address, can reach vpn zone, resolve names, can't ping lan IPs, etc.

The AP itself, if set as DHCP client, will get an IP and connect. Ping openwrt.org from the AP's SSH also works.
When I connect to the AP wifi, though, the client doesn't get the dynamic IP.

These are the AP's configs:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr '***'

config device
	option name 'lan2'
	option macaddr '***'

config device
	option name 'lan3'
	option macaddr '***'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.3'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'

config interface 'guest'
	option device 'lan3.30'
	option proto 'static'
	option ipaddr '192.168.30.3'
	option netmask '255.255.255.0'
	option gateway '192.168.30.1'
	list dns '192.168.30.1'

config device
	option name 'wan'
	option macaddr '***'

config device
	option type 'bridge'
	option name 'br-guest'
	option bridge_empty '1'
	option ipv6 '0'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	list server '192.168.10.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

(note: should I add DNS forward to 192.168.30.1 as well?)

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config rule
	option name 'Guest_Allow_DHCP'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'Guest_Allow_DNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option band '2g'
	option channel 'auto'
	option htmode 'HT20'
	option country 'BR'
	option cell_density '0'
	option beacon_int '1500'
	option txpower '22'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid '(lan SSID)'
	option encryption 'psk2'
	option key '***'
	option wds '1'
	option isolate '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid '(guest SSID)'
	option encryption 'psk2'
	option key '***'
	option isolate '1'
	option network 'guest'

(plus radio1, which is disabled for now)

Yup... as expected based on your config. You need to use DSA/bridge-VLAN constructs.

Ok. Previously we had been talking about VLANs 1, 10, and 20. All that matters is that the VLAN IDs are consistently defined in the router, the switch, and the AP. I'll use VLAN 30 for the AP. And, I'm going to assume that you're using port lan1 for the uplink, but if that's not true, you should be able to see how to adapt my recommendations:

Here's what you need to edit/add/delete on the AP.

Add bridge-VLANs:

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'

Edit the lan interface to use br-lan.1 like this:

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.10.3'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'

Edit the guest network to be unmanaged and use br-lan.30. It will look like this when done:

config interface 'guest'
	option device 'br-lan.30'
	option proto 'none'

Delete this:

And delete this:

Reboot and test.

Not yet...

These are my latest configs on AP1:

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr '***'

config device
	option name 'lan2'
	option macaddr '***'

config device
	option name 'lan3'
	option macaddr '***'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan3:t'

config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.10.3'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.10.1'
	list dns '192.168.10.1'

config interface 'guest'
	option device 'lan3.30'
	option proto 'none'

config device
	option name 'wan'
	option macaddr '***'

/etc/config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

This should be br-lan.30

And also make sure your switch has vlan 30 tagged on the appropriate port.
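The mistake pointed out above (an interface bound to `lan3.30` while VLAN 30 is defined as a bridge-vlan on br-lan, so the device should be `br-lan.30`) is mechanical enough to check for before reloading the network. The following is an added example, not from the thread or from OpenWrt: a POSIX sh/awk lint that reads an /etc/config/network file and reports interfaces that use `port.VID` for a VLAN that is already a bridge-vlan, and interfaces that reference `br-lan.VID` with no bridge-vlan stanza for that VID. The embedded sample is a trimmed copy of the AP1 config posted above, so it reproduces the finding offline.

```shell
#!/bin/sh
# Added example, not from the thread: lint /etc/config/network on a DSA device.
# lint_network_cfg < config  -> prints findings, exits 1 if there are any.
# Assumption: the bridge is named br-lan, as in every config in this thread.
lint_network_cfg() {
    awk -v q="'" '
    function unq(s) { gsub("^" q "|" q "$", "", s); return s }
    $1 == "config" { section = $2; name = (NF >= 3) ? unq($3) : ""; next }
    $1 == "option" || $1 == "list" {
        key = $2; val = unq($3)
        if (section == "bridge-vlan" && key == "vlan") vlan_on[val] = 1
        if (section == "bridge-vlan" && key == "ports") {
            split(val, p, ":"); bridge_port[p[1]] = 1   # "lan3:t" -> lan3
        }
        if (section == "interface" && key == "device") dev[name] = val
    }
    END {
        bad = 0
        for (n in dev) {
            d = dev[n]
            if (d ~ /^br-lan\.[0-9]+$/) {
                split(d, a, "[.]")
                if (!(a[2] in vlan_on)) {
                    printf "interface %s: device %s has no bridge-vlan %s\n", n, d, a[2]
                    bad = 1
                }
            } else if (d ~ /^[a-z0-9]+\.[0-9]+$/) {
                split(d, a, "[.]")
                if ((a[1] in bridge_port) && (a[2] in vlan_on)) {
                    printf "interface %s: device %s should be br-lan.%s (port %s is a bridge-vlan member)\n", n, d, a[2], a[1]
                    bad = 1
                }
            }
        }
        exit bad
    }'
}

# Constructed sample: the AP1 network config from the thread, trimmed, with the
# guest interface still on lan3.30 instead of br-lan.30.
sample_ap1_cfg() {
    cat <<'EOF'
config device
    option name 'br-lan'
    option type 'bridge'
    list ports 'lan1'
    list ports 'lan2'
    list ports 'lan3'

config bridge-vlan
    option device 'br-lan'
    option vlan '1'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '30'
    list ports 'lan3:t'

config interface 'lan'
    option device 'br-lan.1'
    option proto 'static'
    option ipaddr '192.168.10.3'

config interface 'guest'
    option device 'lan3.30'
    option proto 'none'
EOF
}

# Demo: lint the sample; on a real AP use  lint_network_cfg < /etc/config/network
if sample_ap1_cfg | lint_network_cfg; then
    echo "no findings"
else
    echo "fix /etc/config/network before reloading the network"
fi
```

The second check matters because the symptom on the page (wireless clients get no DHCP lease while the AP itself works) gives no hint that the VLAN device is wrong; running the lint after each edit catches it before the reload that would otherwise have to be debugged from the client side.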

Oops. Great, AP1 works now!

I tried to replicate to AP2, but I'm at a loss at this part:

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'lan1:t'

Since AP2 is connected to AP2 via a wireless backhaul, I don't know what I should use as port.
Otherwise /etc/config/network is identical to AP1 (except of course for IP and MAC addresses).

The issue of VLAN over wireless belongs in another post.

I marked this post as solved - because it is! Many thanks to psherman!